Syslog Flow Export
Table of Contents
Expand all | Collapse all
-
-
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Prisma SD-WAN Standard VPN
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
-
- Native SASE Integration with Prisma SD-WAN
- Connect a Single Prisma SD-WAN Site to Prisma Access
- Connect Multiple Prisma SD-WAN Sites to Prisma Access
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Prisma SD-WAN Incidents and Alerts
Syslog Flow Export
Prisma SD-WAN will now generate Syslog messages on initial flow-rule classification and
end-of-flow for all flows handled by the ION device.
Generate Syslog messages on initial flow-rule
classification and end-of-flow for all flows handled by the ION
device. These Syslog messages are in RFC 5424 format. You may configure
to export flow logs from an ION device to one or more Syslog servers.
The minimum device software version required for flow logging
is Release 5.1.17 or Release 5.2.3.
The
Format
of the flow log and description
of the different fields exported in the flow logs are listed below: Some of the fields are reserved for future use, and therefore,
will not be populated in the flow log.
Field Name | Description |
|---|---|
event time | Time event occurred on the ION device |
src ip | Source IP address |
dst ip | Destination IP address |
dst port | Destination port |
protocol name | Protocol name |
reserved for future use | Field will be always blank in cgxFlowLogV1 |
reserved for future use | Field will be always blank in cgxFlowLogV1 |
pkts sent | Number of packets sent from src ip to dst
ip |
pkts recvd | Number of packets received from dst ip by
src ip |
bytes sent | Total bytes sent from src ip to dst ip |
bytes recvd | Total bytes received from dst ip by src
ip |
src interface | Interface from which traffic originated |
dst interface | Interface from which traffic egressed |
path id | Prisma SD-WAN Path ID of the WAN Path |
app name | Name of Prisma SD-WAN -matched Application |
flow event | Event that triggered flow export:
|
zbfw classification rules | One or more ZBFW classification rules separated
by a semi-colon(;). ZBFW classification rules include: Rule
Name: Source Zone Name: Destination Zone Name: Action: Action Code
Possible
Action Code Values:
|
Sample flow log in RFC 5424 format as shown below:
<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - -2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1
The above Syslog message has a header and a body. The Syslog
message values populated for the header and the body are:
Syslog Message Header | Header Component Sample Values |
|---|---|
Priority | <13> |
Version | 1 |
Syslog export time in UTC | 2020-01-28T23:46:17.000035+00:00 |
Element device name | T1S3_SPOKE1 |
App name to identify flow event logs | cgxFlowLogV1 |
Process id of log generator | 13593 |
Message id (empty) | Message id field is not populated by the
ION device at this time. |
Structured data (empty) | Structured data field is not populated by
the ION device at this time. |
Syslog Message Body | Syslog Message Sample Body |
Flow event log in CSV format | 2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New
Flow,Allow-All:allow:1 |
Syslog message body shown above in CSV format can be interpreted
as:
Headers | Sample Values |
|---|---|
Time event happened | 2020-01-28T23:46:17 |
src ip | 10.2.53.102 |
src port | 52520 |
dst ip | 10.2.13.100 |
dst port | 80 |
protocol name | tcp |
pkts sent | 0 |
pkts recvd | 0 |
bytes sent | 0 |
bytes recvd | 0 |
dst interface | LondonPriWI1 |
path id | 15796434157670062 |
app name | enterprise-http |
flow event | New Flow |
zbfw classification rules | Allow-All:self:unknown:allow:1 |